A secured authentication protocol which resist password reuse attack

Passwords are the primary tool for keeping data and information digitally safe. Text passwords remain predominantly popular over other password formats because they are simple and convenient. However, text passwords are not always sturdy enough and are easily stolen and misused under a range of vulnerabilities. Others can obtain a text password when a user chooses a weak password or reuses the same password across many sites; in that case, once one password is compromised it can be used on all of those websites. This is called the Domino Effect. Another unsafe situation arises when a user enters a password on a computer that is not trustworthy; there the password is exposed to stealing attacks such as phishing, malware and keyloggers. Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information for later unauthorized access to the user's financial accounts. This paper proposes a user authentication protocol which leverages a user's Android smartphone and the short message service (SMS) to resist password stealing and password reuse attacks. The protocol requires only that each participating website possess a unique phone number and that users remember a single long-term password for login on all websites. To provide additional security for the Android smartphone, a method called color pattern screen locking is also proposed in this paper.
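The abstract describes two properties, resistance to the Domino Effect (one memorised password, yet no cross-site reuse of the credential a website actually stores) and resistance to a keylogger on an untrusted PC (the value typed or observed during one login is not reusable). The following Python simulation is an added illustration of those two properties and is not the paper's own protocol or code: the per-site derivation from the long-term password and the website's phone number, the challenge-response step, the `Website` class, and all phone numbers and names are assumptions constructed for the example (the paper's actual message flow, including how SMS is used, is not specified in the abstract).

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the paper): one memorised password and two
# websites, each identified by its own placeholder phone number.
LONG_TERM_PASSWORD = "correct horse battery staple"
SITE_PHONES = {
    "bank.example": "+10000000001",  # placeholder, not a real number
    "shop.example": "+10000000002",
}


def derive_site_credential(long_term_password: str, site_phone: str,
                           iterations: int = 100_000) -> bytes:
    """Derive a per-site credential from the single memorised password.

    The website's unique phone number serves as the PBKDF2 salt, so the same
    long-term password yields an unrelated credential at every site. A breach
    of one site's credential store therefore does not expose the others
    (assumed construction, not the paper's derivation).
    """
    return hashlib.pbkdf2_hmac("sha256", long_term_password.encode("utf-8"),
                               site_phone.encode("utf-8"), iterations)


def one_time_response(site_credential: bytes, challenge: bytes) -> str:
    """Response the phone computes for a fresh server challenge.

    It is an HMAC over the challenge keyed with the site credential, so a
    keylogger on the untrusted PC captures neither the long-term password nor
    anything that can be replayed.
    """
    return hmac.new(site_credential, challenge, hashlib.sha256).hexdigest()


class Website:
    """Minimal server side: stores per-user credentials, issues one-use challenges."""

    def __init__(self, name: str, phone: str) -> None:
        self.name = name
        self.phone = phone
        self._credentials: dict[str, bytes] = {}
        self._outstanding: set[bytes] = set()

    def register(self, user: str, long_term_password: str) -> None:
        self._credentials[user] = derive_site_credential(long_term_password, self.phone)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, user: str, challenge: bytes, response: str) -> bool:
        # A challenge is consumed on first use, so an observed response cannot be replayed.
        if challenge not in self._outstanding or user not in self._credentials:
            return False
        self._outstanding.discard(challenge)
        expected = one_time_response(self._credentials[user], challenge)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict[str, bool]:
    """Exercise the scenarios from the abstract and return named outcomes."""
    bank = Website("bank.example", SITE_PHONES["bank.example"])
    shop = Website("shop.example", SITE_PHONES["shop.example"])
    for site in (bank, shop):
        site.register("alice", LONG_TERM_PASSWORD)

    # One password, two sites: the credentials each site holds differ.
    bank_cred = derive_site_credential(LONG_TERM_PASSWORD, bank.phone)
    shop_cred = derive_site_credential(LONG_TERM_PASSWORD, shop.phone)

    # Legitimate login at the bank.
    c1 = bank.new_challenge()
    r1 = one_time_response(bank_cred, c1)
    legitimate = bank.verify("alice", c1, r1)

    # Domino Effect scenario: the shop's credential has leaked; it is tried at the bank.
    c2 = bank.new_challenge()
    domino = bank.verify("alice", c2, one_time_response(shop_cred, c2))

    # Keylogger scenario: the response observed during the first login is reused.
    replay = bank.verify("alice", c1, r1)

    return {
        "credentials_differ": bank_cred != shop_cred,
        "legitimate_login_ok": legitimate,
        "leaked_shop_credential_works_at_bank": domino,
        "replay_of_observed_response_works": replay,
    }


if __name__ == "__main__":
    for outcome, value in run_demo().items():
        print(f"{outcome}: {value}")
```

The two negative outcomes are the point: the leaked shop credential fails at the bank because the phone number salt separates the sites, and the replayed response fails because the challenge was consumed. Both checks rely on the server discarding a challenge after one use and on constant-time comparison of the response.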
